A North Korean threat actor has been allegedly linked to a breach targeting JumpCloud, a zero-trust directory platform service used for identity and access management.
Describing the malicious activity in an advisory published on Monday, Mandiant said the compromise resulted from a sophisticated spear-phishing campaign.
According to the security incident disclosure updated on July 20, JumpCloud reported that this unauthorized access impacted fewer than five customers and fewer than ten devices.
Read more on this attack: JumpCloud Confirms Data Breach By Nation-State Actor
Mandiant’s investigation into the attack now revealed that the intrusions were attributed to UNC4899, a hacking group associated with the Democratic People’s Republic of Korea (DPRK).
UNC4899 typically targets companies in the cryptocurrency vertical, and Mandiant assessed with high confidence that it operates under the DPRK’s Reconnaissance General Bureau (RGB).
“This is an excellent example of the convergence between state-sponsored threats and cyber-criminal activity, where the line between financial and intelligence motivations are fuzzy at best,” explained Mike Parkin, senior technical engineer at Vulcan Cyber.
“Assuming attribution to the DPRK is correct, it reinforces the image that in the context of cybercrime, they have little interest in being part of the solution.”
During their investigation, Mandiant discovered the attack path began with a Ruby script executed via the JumpCloud agent at a downstream customer, leading to the deployment of multiple backdoors.
These backdoors allowed the threat actor to maintain persistence and execute various commands on the compromised systems.
“The JumpCloud breach is another justification to extend security beyond the identity layer. SaaS applications and services providers are becoming a primary target for executing a supply chain-based attack,” said Corey O’Connor, director of products at DoControl.
“An organization’s identity layer serves as the new perimeter. Neglecting this reality, and choosing not to extend strong security controls further down the stack, will leave organizations vulnerable to these types of advanced nation-state attacks.”
Regarding operational security, Mandiant observed that UNC4899 and other DPRK threat actors occasionally made mistakes in their use of VPNs, which exposed their true IP addresses and revealed their North Korean origins.
More information about this threat is available in the company’s original advisory.